A Report From MS TechED 2013: Are We Moving Our Authorization Overhead to the Cloud?

By Mandy Pang.

I just got back from MS Tech Ed in New Orleans. The hot topic was obvious: Microsoft’s new cloud platform, Windows Azure.

I attended multiple sessions (such as this one), and a central message was how easy Azure makes it for IT organizations to move their resources and applications to the cloud. One reason is the flexibility Azure provides to allow organizations to choose which applications to move to the cloud, versus which ones to keep on premise. You can design an approach that works best for you, or even make the transition in strategic increments.

Another key message was that, if you settle on a hybrid cloud/premise solution, Azure allows you to keep your data access and authentication model simple. This is because Windows Azure Active Directory allows you to also move your Identity and Access Management (IAM) to the cloud, and manage access to both cloud and on-premise resources from just one Windows Azure AD. This enables single sign-on for cloud-hosted applications, and it also streamlines the set of users, groups, and roles IT must maintain.


Moving IAM to the cloud is a key feature of Windows Azure, and I can see why they wanted to emphasize this at TechEd, given a recognized reluctance among businesses to move sensitive data to the cloud. Strong authentication infrastructure and accurate authorization rules are clearly essential. Windows Azure AD counters the anxiety about cloud security with the comforting familiarity of IAM in AD. You do the same work you already do to manage access to on-premise resources: create Security Groups and apply Permissions.

However, this is where I am left with some questions. I get how authentication can be streamlined, with single sign-on authentication for all cloud-based and on-premise applications. But in terms of access control for data stored in these applications (the authorization piece), are we just moving our old overhead to the cloud?

We already know that container-based rules that rely on Security Groups can be difficult to maintain, especially when access control requirements grow very complex, and when there are many locations to protect. This manual process is famous for being error-prone and hard to troubleshoot. Plus, authorization rules created in AD will only apply to file servers. IT will still have to manage a separate set of permissions for all other applications, for example, in SharePoint.

The platform focus for moving data to the cloud, as well as the move to centralize the authentication infrastructure for cloud and premise-based systems, seems to suggest a logical next step: authorization management that is also platform-based (that is, data-level access controls that are cross-application and centrally managed). Is this what’s next?

_____

Mandy Pang is the Product Manager for Rights Management and Data Protection at NextLabs. She works with the Solutions Management team to devise best practices for securing and controlling data in order to develop solutions for Global 5000 businesses around partner collaboration, export regulations, IP and data security.


2 thoughts on “A Report From MS TechED 2013: Are We Moving Our Authorization Overhead to the Cloud?”

  1. You’re hitting on the crux of the debate. Just applying the same old groups and permissions to a third-party cloud service provider could be unsustainable – I agree with you there, better solutions are needed.

    Perhaps a hybrid model involving both the premise and the cloud could make Azure work securely.

    But, this then begs the question: what would an authorization solution look like with this hybrid model? My thought is that we’d need to externalize the authorization decision point so that regardless of the infrastructure, you’ll always be able to apply consistent policy-driven access and enforcement.

    -Mandy
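The post argues that Security-Group permissions have to be maintained separately per application (file servers in AD, SharePoint on its own), and the first comment proposes externalizing the authorization decision point so that one policy applies regardless of where a resource is hosted. The following is an added illustration of that contrast, written for this page; it is not code from the post, from NextLabs, or from Azure AD. Every user, group, share, site and policy in it is constructed sample data, and the policy-decision-point (PDP) logic is a minimal attribute-based model chosen to make the point, not any product's engine.

```python
"""Added illustration: per-application group permissions versus one
externalized policy decision point (PDP). All users, groups, resources and
policies below are constructed sample data, not taken from any real tenant."""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    ad_groups: set          # security groups in (Azure) AD
    department: str
    employment: str         # "employee" or "contractor"


@dataclass
class Resource:
    name: str
    app: str                # application hosting the resource
    hosting: str            # "on-prem" or "cloud"
    classification: str     # e.g. "internal", "confidential"
    owner_department: str


# --- Legacy model: each application keeps its own group -> permission table.
# The file server reads AD security groups; SharePoint keeps its own groups
# that IT must maintain by hand in parallel (constructed sample data).
FILE_SERVER_ACL = {"\\\\fs01\\finance": {"Finance-RW": {"read", "write"},
                                         "Finance-RO": {"read"}}}
SHAREPOINT_GROUPS = {"sp-finance-members": {"alice", "bob"}}   # maintained separately
SHAREPOINT_ACL = {"/sites/finance": {"sp-finance-members": {"read", "write"}}}


def legacy_allowed(user, resource, action):
    """Answer the way each application answers today: from its own group table."""
    if resource.app == "fileserver":
        table = FILE_SERVER_ACL.get(resource.name, {})
        return any(action in perms for g, perms in table.items() if g in user.ad_groups)
    if resource.app == "sharepoint":
        table = SHAREPOINT_ACL.get(resource.name, {})
        return any(action in perms for g, perms in table.items()
                   if user.name in SHAREPOINT_GROUPS.get(g, set()))
    return False


# --- Externalized model: every application (the enforcement point) asks the
# same PDP, which evaluates attribute-based policies. The answer does not
# depend on where the resource is hosted or which application serves it.
def policy_department_match(user, resource, action):
    """Members of the owning department may read and write its resources."""
    if user.department == resource.owner_department and action in {"read", "write"}:
        return "permit"
    return "not_applicable"


def policy_contractor_confidential(user, resource, action):
    """Contractors never get confidential data, wherever it lives."""
    if user.employment == "contractor" and resource.classification == "confidential":
        return "deny"
    return "not_applicable"


POLICIES = [policy_contractor_confidential, policy_department_match]


def pdp_decide(user, resource, action):
    """Deny-overrides combining: any deny wins, then any permit, else deny."""
    decisions = [policy(user, resource, action) for policy in POLICIES]
    if "deny" in decisions:
        return "deny"
    if "permit" in decisions:
        return "permit"
    return "deny"


def audit(user, resources, action):
    """Side-by-side view of what each model says for one user and action."""
    return {r.name: {"hosting": r.hosting,
                     "legacy": legacy_allowed(user, r, action),
                     "pdp": pdp_decide(user, r, action)} for r in resources}


# Constructed scenario: Alice is a Finance employee. Bob is a Finance
# contractor who was removed from the AD group when his access was reviewed,
# but nobody updated the SharePoint group, so the two applications disagree.
ALICE = User("alice", {"Finance-RW"}, "Finance", "employee")
BOB = User("bob", set(), "Finance", "contractor")
SHARE = Resource("\\\\fs01\\finance", "fileserver", "on-prem", "confidential", "Finance")
SITE = Resource("/sites/finance", "sharepoint", "cloud", "confidential", "Finance")

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user.name, audit(user, [SHARE, SITE], "write"))
```

Running the block shows the drift the post warns about: under the legacy tables Bob is blocked on the on-premise share but still allowed on the cloud-hosted site, because the two group lists were maintained separately. Under the PDP both applications get the same answer for both users, and the contractor rule holds whether the resource is on-prem or in the cloud, which is the consistency the comment above asks for.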

  2. You made a good point. There is nothing new being done with regards to IAM. The only change is moving existing infrastructure to the cloud. Although cost effective, this approach has high risk associated since we are moving sensitive information to a third-party cloud service provider. With regards to cost saving, I do not agree much considering the financial requirements to move to the cloud. SharePoint and access to other applications, databases, user repositories, etc. is also covered by SSO. Now this is what I think. I appreciate response, corrections, guidance from others in this regard. 🙂
